{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7810", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-18T15:18:46.189Z", "datePublished": "2025-07-29T03:41:21.378Z", "dateUpdated": "2026-04-08T17:17:10.681Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:10.681Z"}, "affected": [{"vendor": "streamweasels", "product": "StreamWeasels Kick Integration", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.1.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "StreamWeasels Kick Integration <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b564eacd-1561-4c42-8a9e-395d4e951723?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/streamweasels-kick-integration/trunk/public/js/streamweasels-kick-public.js#L574"}, {"url": "https://plugins.trac.wordpress.org/changeset/3335307#file11"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Gai Tanaka"}], "timeline": [{"time": "2025-07-18T15:33:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-07-28T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-29T13:47:43.800242Z", "id": "CVE-2025-7810", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-29T13:47:50.448Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7810", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-29T13:47:43.800242Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-29T13:47:48.270Z"}}], "cna": {"title": "StreamWeasels Kick Integration <= 1.1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Gai Tanaka"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "streamweasels", "product": "StreamWeasels Kick Integration", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.1.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-18T15:33:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-07-28T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b564eacd-1561-4c42-8a9e-395d4e951723?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/streamweasels-kick-integration/trunk/public/js/streamweasels-kick-public.js#L574"}, {"url": "https://plugins.trac.wordpress.org/changeset/3335307#file11"}], "descriptions": [{"lang": "en", "value": "The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:10.681Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7810", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:10.681Z", "dateReserved": "2025-07-18T15:18:46.189Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-29T03:41:21.378Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The StreamWeasels Kick Integration plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'data-uuid' attribute in all versions up to, and including, 1.1.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento StreamWeasels Kick Integration para WordPress es vulnerable a Cross-Site Scripting almacenado a trav\u00e9s del atributo 'data-uuid' del complemento en todas las versiones hasta la 1.1.4 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-7810", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-07-29T04:15:57.350", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/streamweasels-kick-integration/trunk/public/js/streamweasels-kick-public.js#L574"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3335307#file11"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b564eacd-1561-4c42-8a9e-395d4e951723?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:35:01.654348+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to version\u00a01.1.5 or newer, which removes the vulnerable attribute handling.", "Restrict contributor\u2011level and higher roles to trusted users only, minimizing the pool of accounts that could inject the script.", "Implement a Content Security Policy that disallows inline scripts and limits executable content to trusted sources to mitigate accidental execution of injected code."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All releases of the StreamWeasels Kick Integration plugin up to and including version\u00a01.1.4 are affected. Sites that employ these versions and have users with contributor or higher roles are vulnerable until the issue is addressed.", "description_and_impact": "The StreamWeasels Kick Integration plugin for WordPress includes a stored cross\u2011site scripting flaw that permits authenticated users with contributor or higher privileges to inject malicious JavaScript into the data\u2011uuid attribute. The plugin fails to sanitize or escape this attribute when rendering page content, so the injected script runs automatically in the browsers of any visitor who views the affected page. This allows the attacker to execute arbitrary client\u2011side code, potentially defacing content, phishing users, or delivering further payloads.", "risk_and_exploitability": "The weakness has a CVSS score of\u00a05.4, indicating moderate severity. The EPSS score is below\u00a01\u202f%, suggesting a low probability of exploitation in the wild, and it is not listed in the CISA KEV catalog. An attacker must first authenticate as a contributor or higher, then use the plugin\u2019s interface to persist the malicious script; once stored, the payload executes for all subsequent page viewers."}}}}, "created": "2025-07-29T10:00:56.256297+00:00", "updated": "2026-04-21T19:45:16.073971+00:00", "vendors": ["streamweasels", "streamweasels$PRODUCT$kick_integration", "wordpress", "wordpress$PRODUCT$wordpress"]}